New Malware Uses Gen-AI for Persistence

Security researchers at ESET have discovered "PromptSpy," the first known Android malware to leverage generative AI. The malware reportedly abuses Google's Gemini to guide malicious user interface manipulations, allowing it to capture lockscreen data and block uninstallation attempts by achieving persistence on the device.

- Instead of relying on hardcoded screen coordinates, which can fail across different device layouts and Android versions, PromptSpy sends an XML dump of the current screen to Google's Gemini. The AI then returns JSON instructions telling the malware precisely where to tap to "lock" the app in the recent apps list, making it resistant to UI changes.
- The main payload of PromptSpy is a Virtual Network Computing (VNC) module that gives attackers full remote control of the device, allowing them to see the screen and perform gestures in real time. Communications with its command-and-control server are AES-encrypted.
- To prevent removal, the malware uses Accessibility Services to create invisible overlays on top of uninstall or force-stop buttons. When a user tries to tap these buttons, they are interacting with the invisible layer, which intercepts the action. The only way to remove the malware is to reboot the device into Safe Mode.
- This is the second AI-powered malware family discovered by ESET Research, following the AI-driven ransomware "PromptLock" found in August 2025. While other malware has used machine learning for tasks like ad fraud, PromptSpy is the first known instance of using *generative* AI for malicious UI manipulation on Android.
- The malware is distributed through a dedicated website, not the Google Play Store, and masquerades as a JPMorgan Chase app under the name "MorganArg". Analysis of language localization suggests the campaign is financially motivated and primarily targets users in Argentina.
- According to ESET researcher Lukáš Štefanko, the AI model and the prompt are hardcoded into the malware and cannot be changed. The malware saves its prompts and Gemini's responses to give the AI context for multi-step interactions.
- Google has confirmed that its built-in Google Play Protect service automatically protects users against known versions of this malware, even when installed from outside the Play Store. ESET shared its findings with Google as part of the App Defense Alliance.
- PromptSpy is considered an advanced evolution of a previously unknown Android malware called VNCSpy, with initial samples being uploaded to VirusTotal from Hong Kong. The code also contains clues suggesting it was developed in a Chinese-speaking environment.
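Because the malware described above is sideloaded and depends on an enabled accessibility service, one triage check is to list enabled accessibility services whose package did not come from a trusted store. The following is an added example, not code from ESET or from the original briefing; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names, sample outputs, and trusted-installer list are constructed assumptions.

```python
# Added example: inputs are constructed samples of adb output, not real device data.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def parse_enabled_services(settings_value):
    """Parse `settings get secure enabled_accessibility_services`:
    a colon-separated list of package/class component names."""
    services = {}
    value = settings_value.strip()
    if value and value != "null":
        for component in value.split(":"):
            package, _, cls = component.partition("/")
            if package:
                services.setdefault(package, []).append(cls)
    return services

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines: package:<name>  installer=<name>."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None  # "installer=null" means no installer was recorded
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):]
        installers[fields[0][len("package:"):]] = installer
    return installers

def flag_sideloaded_accessibility(settings_value, pm_output, system_packages=()):
    """Return sorted (package, installer, services) for enabled accessibility
    services whose package is neither preinstalled nor from a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for package, classes in parse_enabled_services(settings_value).items():
        installer = installers.get(package)
        if package in system_packages or installer in TRUSTED_INSTALLERS:
            continue
        findings.append((package, installer, sorted(classes)))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample data (hypothetical package and service names).
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.sideloaded/.RemoteService:"
                   "com.example.reader/.ReadAloudService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=null
package:com.example.sideloaded  installer=com.google.android.packageinstaller
package:com.example.reader  installer=com.android.vending
"""
SAMPLE_SYSTEM = {"com.google.android.marvin.talkback"}
```

Preinstalled apps often report no installer as well, so pass the package names from `adb shell pm list packages -s` as `system_packages` to keep them out of the findings.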
